Detections
Analytics
Fedora 38 : firecracker / libkrun / rust-event-manager / rust-kvm-bindings / etc (2024-f2305d485f)
critical Nessus Plugin ID 190506
Language:
Synopsis
The remote Fedora host is missing one or more security updates.Description
The remote Fedora 38 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2024-f2305d485f advisory.- vmm-sys-util is a collection of modules that provides helpers and utilities used by multiple rust-vmm components. Starting in version 0.5.0 and prior to version 0.12.0, an issue in the `FamStructWrapper::deserialize` implementation provided by the crate for `vmm_sys_util::fam::FamStructWrapper` can lead to out of bounds memory accesses. The deserialization does not check that the length stored in the header matches the flexible array length. Mismatch in the lengths might allow out of bounds memory access through Rust-safe methods. The issue was corrected in version 0.12.0 by inserting a check that verifies the lengths of compared flexible arrays are equal for any deserialized header and aborting deserialization otherwise. Moreover, the API was changed so that header length can only be modified through Rust-unsafe code. This ensures that users cannot trigger out-of-bounds memory access from Rust-safe code. (CVE-2023-50711)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
https://bodhi.fedoraproject.org/updates/FEDORA-2024-f2305d485f
Plugin Details
Severity: Critical
ID: 190506
File Name: fedora_2024-f2305d485f.nasl
Version: 1.0
Type: local
Agent: unix
Family: Fedora Local Security Checks
Published: 2/14/2024
Updated: 2/14/2024
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2023-50711
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:fedoraproject:fedora:38, p-cpe:/a:fedoraproject:fedora:firecracker, p-cpe:/a:fedoraproject:fedora:libkrun, p-cpe:/a:fedoraproject:fedora:rust-event-manager, p-cpe:/a:fedoraproject:fedora:rust-kvm-bindings, p-cpe:/a:fedoraproject:fedora:rust-kvm-ioctls, p-cpe:/a:fedoraproject:fedora:rust-linux-loader, p-cpe:/a:fedoraproject:fedora:rust-userfaultfd, p-cpe:/a:fedoraproject:fedora:rust-versionize, p-cpe:/a:fedoraproject:fedora:rust-vhost, p-cpe:/a:fedoraproject:fedora:rust-vhost-user-backend, p-cpe:/a:fedoraproject:fedora:rust-virtio-queue, p-cpe:/a:fedoraproject:fedora:rust-vm-memory, p-cpe:/a:fedoraproject:fedora:rust-vm-superio, p-cpe:/a:fedoraproject:fedora:rust-vmm-sys-util, p-cpe:/a:fedoraproject:fedora:virtiofsd
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 2/5/2024
Vulnerability Publication Date: 1/2/2024
Reference Information
CVE: CVE-2023-50711
FEDORA: 2024-f2305d485f